
Forefront Protection for Exchange 2010 (FPE) is unable to get updates from the Cloudmark Antispam Engine

In our Exchange environment, we were facing strange issues with Forefront Protection for Exchange (FPE) on the Edge Servers.

Issue Description:

Out of the 7 engines, we are unable to get updates for the Cloudmark engine.

Two event IDs (6019 and 6012) appear in the Application event log, as follows:

Log Name:      Application
Source:        GetEngineFiles
Date:          9/9/2011 6:57:20 AM
Event ID:      6019
Task Category: Engine Error
Level:         Error
Keywords:      Classic
Computer:
Description:
Microsoft Forefront Protection encountered an error while performing a scan engine update.
Scan Engine: Cloudmark

Log Name:      Application
Source:        GetEngineFiles
Date:          9/9/2011 6:57:20 AM
Event ID:      6012
Task Category: Engine Error
Level:         Error
Keywords:      Classic
Description:
Microsoft Forefront Protection encountered an error while performing a scan engine update.
   Scan Engine: Cloudmark
   Error Code: 0x80004005
   Error Detail: Description: An error occurred while loading the scan engine.

We have already added the 4 URLs on ports 80 and 443 (cdn-microupdates.cloudmark.com, lvc.cloudmark.com, pki.cloudmark.com and tracks.cloudmark.com) to our Cisco firewalls, and the HTTPS inspection option is disabled on the firewall. One strange thing we are noticing is that the FPE client and the Cloudmark server are resetting the connection, as per the network trace.

Resolution:

When running the two telnet tests, only the one to port 80 is successful. The one to port 443 fails.

telnet cdn-microupdates.cloudmark.com 80
telnet lvc.cloudmark.com 443

The connection errors you are seeing have been seen before and are due to the firewall still having a restriction on the ports. In this case, port 443 is still being blocked, which is preventing the Micro Updates from coming through.

The networking team on our side figured out that the URLs were not getting resolved properly for HTTPS connections, so they decided to add the IP addresses for all the URLs instead of the names, and the problem got fixed.

lvc.cloudmark.com: 208.83.138.34

cdn-microupdates.cloudmark.com: 93.184.215.73

pki.cloudmark.com: 208.83.136.39

crl.microsoft.com: 207.152.124.49, 205.177.95.229, 198.173.20.88

forefrontdl.microsoft.com: 198.63.194.0/24, 198.173.2.0/24, 207.109.221.0/24, 198.63.196.51, 205.234.218.11, 63.216.54.57, 69.31.106.35, 128.242.191.32, 207.152.124.91, 198.63.203.49, 205.234.225.152, 198.173.20.113, 63.236.252.201, 63.236.252.232, 69.31.102.90, 63.216.54.42, 209.18.42.152, 64.145.91.135, 64.145.91.126, 205.234.218.35
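
The two telnet tests above, extended into an added PowerShell example (not part of the original post): it resolves each of the four Cloudmark hostnames the post names, tries ports 80 and 443 on every address DNS returns, and prints those addresses so they can be compared with the IP entries pinned in the firewall rules. It uses only .NET classes, so no telnet client is needed; the 5-second timeout and the function name Test-TcpPort are assumptions.

```powershell
# Added example, not from the original post. Hostnames and ports are the ones
# the post names; the timeout value is an assumption.
$cloudmarkHosts = 'cdn-microupdates.cloudmark.com', 'lvc.cloudmark.com',
                  'pki.cloudmark.com', 'tracks.cloudmark.com'
$ports = 80, 443

function Test-TcpPort {
    param([System.Net.IPAddress]$Address, [int]$Port, [int]$TimeoutMs = 5000)
    # Match the socket family to the address so IPv6 answers can be tested too.
    $client = New-Object System.Net.Sockets.TcpClient -ArgumentList $Address.AddressFamily
    try {
        $pending = $client.BeginConnect($Address, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return 'Timeout'            # no answer at all: packets dropped on the path
        }
        $client.EndConnect($pending)    # throws if the connection was refused or reset
        return 'Open'
    }
    catch   { return 'Refused/Reset' }
    finally { $client.Close() }
}

$results = foreach ($name in $cloudmarkHosts) {
    try { $addresses = [System.Net.Dns]::GetHostAddresses($name) }
    catch {
        # Name resolution itself failed from this server.
        New-Object PSObject -Property @{
            Name = $name; Address = '(unresolved)'; Port = ''; Result = 'DNS failed'
        }
        continue
    }
    foreach ($address in $addresses) {
        foreach ($port in $ports) {
            $result = Test-TcpPort -Address $address -Port $port
            New-Object PSObject -Property @{
                Name = $name; Address = $address.ToString(); Port = $port; Result = $result
            }
        }
    }
}

# One row per hostname, resolved address and port.
$results | Select-Object Name, Address, Port, Result | Format-Table -AutoSize
```

A row showing port 80 as Open and port 443 as Timeout or Refused/Reset for the same address matches the symptom described in this post.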

I hope this information will be useful for people troubleshooting FPE issues and will save at least a couple of days' worth of troubleshooting effort.
If you like this post, please leave your comments and don’t forget to say thanks.

Best Regards,

Aresh Sarkari

 


1 comment:

Hany said...

Very Good Aresh,
I have exactly the same issue, and I'm letting the servers go through the firewall to any URL or IP address.
But I am still having the same events 6012 and 6019 on any attempt to update Cloudmark.
If you have any further help, that would be appreciated.
